Archive for: March, 2012

Giving Away Your Passwords

You might have seen the headlines from the past couple of weeks detailing how some employers were demanding employees hand over their Facebook passwords or else. Privacy violation?  Just a little.

Unfortunately, the House voted down an amendment that would prevent employers from making this ludicrous request.  After reading the rebuttal, I’m hopeful that this legislation will make its way through in some form or another.

Thankfully, humans asking for your social media passwords during job interviews is a rare practice.

On the other hand, websites asking for your account passwords isn’t.  We call this the Password Anti-Pattern.   When a third-party website asks you to input your username and password to another service, like Facebook or Twitter, run for the hills!

Password Anti-Pattern

Notice how the site above is asking you directly for your Twitter password.  Bad!  What they should be doing is redirecting you to Twitter to authenticate in person, so to speak.  Like this:

OAuth (The Right Way)

Usually the intent of the website employing the Password Anti-Pattern is good – they’re not trying to be snoops (unless the site is actually an evil phishing site).   Rather, it’s likely they want to help you find your friends, import your photos, or in some way improve the experience of their application by connecting to others.

But despite the good intent, disastrous problems can arise.  Say you want to let App XYZ import your Gmail contacts.  The app asks you for your Gmail password and you happily hand it over.  Now you’re entrusting them to store that password securely, and the sad truth is, they’re probably not.

Now imagine you let 15 other apps do the same thing.  One of them is breached.  If you don’t change your Gmail password soon enough, they can lock you out.  What’s worse, most applications you use let you reset your password via email.  Thus we typically consider our email passwords keys to our castles.

Even if you do manage to change your Gmail password in time, now you have 14 apps that you have to update to reflect this change.  It’s a nightmare!

The good news is there’s a better way to grant one website safe, limited, and controlled access to another.  It’s called OAuth.  Think of it as a valet key.

Stay tuned.  Next week we’ll talk more about OAuth – what it is, how it works, the pluses and the minuses.

Fixing the Open Shares Problem

I recently spoke with an IT administrator who had started a manual open share cleanup project—finding and locking down folders and SharePoint sites open to global access groups like Everyone, Domain Users and Authenticated Users. After removing the everyone group from several folders, they began to receive help desk calls from people who had been actively accessing data through those global access groups prior to their removal, and were now unable to perform their daily activities because they had lost access. This went on for two weeks or so—each time someone called, they had to apologize for the disruption, and quickly add that user to a group on the folder’s ACL.

According to the administrator, the manual process took about 6 hours per folder. With the number of folders they had found, this would mean about 3 months of work for 4 people–quite a time-consuming effort. How were they going about fixing these manually? Here is a rough outline of the steps they used:

  1. Identify folders open to the global access groups, like everyone, authenticated users, domain users, and users
  2. Turn on object access success auditing for those folders and collect as much audit data as the server could stand
  3. Analyze the audit activity to try to create a list of users that access these folders
  4. Determine the users that have no way to access those folders other than the global access group you’re trying to remove
  5. Add users from step 4 to a group that’s on the folder’s ACL, or create a new group and add the users (assuming those users are supposed to have access)
  6. Remove the global access group
  7. Wait by the phone
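Steps 1 and 2 of that outline, as an added PowerShell example that is not from the original post: inventory folders whose own ACL grants a global access group access, and switch on Success auditing for one folder before its global group is removed. It assumes PowerShell 3.0 or later, rights to read and write security descriptors, and the placeholder share root `D:\Shares` and output file `open-folders.csv`; the function names are hypothetical.

```powershell
# Added example, not from the original post. D:\Shares and the CSV path are
# placeholders; run with rights to read/write security descriptors (PS 3.0+).
$Root = 'D:\Shares'

# Global access groups named in the post. Domain Users arrives as
# DOMAIN\Domain Users and Users as BUILTIN\Users, so we match on the part
# after the backslash.
$GlobalGroups = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

function Get-OpenFolder {
    param([string]$Path, [string[]]$Groups)
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $folder = $_
            try { $acl = Get-Acl -LiteralPath $folder.FullName } catch { return }
            foreach ($ace in $acl.Access) {
                # Only explicit Allow entries are reported: an inherited entry
                # is removed at the parent where it is defined, not here.
                if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
                $name = ($ace.IdentityReference.Value -split '\\')[-1]
                if ($Groups -contains $name) {
                    [pscustomobject]@{
                        Folder = $folder.FullName
                        Group  = $ace.IdentityReference.Value
                        Rights = $ace.FileSystemRights.ToString()
                    }
                }
            }
        }
}

function Enable-SuccessAuditing {
    param([string]$Folder)
    # Adds a Success audit entry (SACL) for Everyone on read/execute so the
    # Security log records who actually uses the folder (event 4663). The
    # "Audit object access" policy must be enabled for anything to be logged.
    $acl  = Get-Acl -LiteralPath $Folder -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
        'Everyone', 'ReadData,ExecuteFile', 'ContainerInherit,ObjectInherit', 'None', 'Success'
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

# Step 1: the list of folders to work through, one row per offending entry.
Get-OpenFolder -Path $Root -Groups $GlobalGroups |
    Sort-Object Folder |
    Export-Csv -Path 'open-folders.csv' -NoTypeInformation

# Step 2, one folder at a time, since audit volume adds up quickly:
# Enable-SuccessAuditing -Folder 'D:\Shares\Finance'
```

Audit entries only tell you who came in through the folder; step 4, checking whether each of those users still has access through another group on the ACL, is the part that needs the permissions to be cross-referenced before anything is removed.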

Despite their painstaking process, the voluminous audit logs and the complexity of their permissions made it impossible to remove global access groups without disrupting their users’ workflow. That’s a lot of effort to go through to end up with unhappy users. This is one example, but IT often finds itself in this dilemma when trying to fix open shares: leave the data exposed and run the risk of data theft, loss, or misuse, or lock the folders down and risk productivity should a user or users be cut off from data they need.

In a future post we’ll talk about how to clean up open shares using the simulation capabilities available with a metadata framework.

Improve Data Protection, Win $500 Gift Card

Regulation in IT is nothing new, especially for those of us who’ve ever worked in the financial, government or health care sectors. What’s changing is the breadth of regulations–how much we actually need to do–and the types of information and systems these regulations apply to. No longer is it just the mainframes and other transactional systems, for instance. People now have to ask themselves “How safe is our unstructured data?” and “Are we in compliance with new regulations?” One comment I heard recently was along the lines of, “The terrifying thing is that we have no idea whether anything on the NAS is subject to regulation because we’ve never done anything to audit it.” Of course, data security has always been a concern but with the growing threat from internal and external breaches, and a new major Wikileaks story in the news seemingly every month, companies are up against a wall and need some help to analyze the scope of the problem and figure out solutions. I think many of us would just like some help knowing where to begin.

At Varonis we have a lot of experience helping our customers with these problems, and we want to help you see where you stack up compared to other organizations. Take our free 2 minute assessment on your data protection preparedness and we’ll enter you to win a $500 gift card! Click here to access the assessment or copy the following link into your browser:

Everyone who fills out the survey will get our comprehensive report on the state of data protection preparedness once the results have been analyzed.

Case Study: Matanuska Telephone Association

Matanuska Telephone Association (MTA) is a co-operative telecommunications service provider that offers its members local telephone services, high-speed Internet access, wireless phone service, digital television and managed business services.

Like many organizations, there were occasions when MTA’s employees would inadvertently move, rename, or accidentally delete files. Finn Rye, MTA’s Information Security Officer, and his team would try to locate or recover the information. The hours spent manually tracking down data were significant, which meant that Rye’s team was often unable to attend to other, more pressing matters.

Further, for internal compliance requirements, MTA’s Performance Integrity office mandates that Rye’s team be able to verify who has access to which data and what files those individuals actually access.

MTA recently deployed Varonis® DatAdvantage® for Windows. DatAdvantage provides a searchable and sortable complete audit trail, which includes “delete” events in files and folders. The Audit Trail provided Rye’s team the ability to find deleted or moved files and to determine how it happened.

“Without DatAdvantage®, we simply weren’t able to do the investigation or incident responses we can now,” Rye said.

Rye’s team has configured automatic alerts and reports to obtain the visibility and control they needed, fulfilling their compliance requirements. Now they can identify sensitive files and folders, and determine who should and should not have access to them.

“It was virtually impossible before Varonis®,” he said. “We just didn’t have the logging capacity or a way to search in an efficient manner.”

Varonis® DatAdvantage® for Windows provided MTA the ability to analyze and audit access, visibility into their permissions structure and actionable intelligence on how to remediate excessive permissions; this is why MTA chose Varonis. To read the complete case study, click here.

Finn Rye is MTA’s information security officer – his department oversees the company’s information security initiatives for MTA’s 400+ full-time employees.

In Data Security, You’re Only As Strong As Your Weakest Link

Reporter: “Why do you rob banks?”

Willie Sutton (bank robber): “Because that’s where the money is.”

That’s Sutton’s law.  It seems obvious, but it’s so very true.  The law also holds true for hackers – they will attack systems that store valuable data.

So where might that be?  My first guess would be the iron-clad data centers of the world’s largest banks, pharmaceutical companies, defense contractors, governments, and Fortune 500 corporations.  They are the big juicy targets, right?  But attractive targets aren’t necessarily easy targets.

Today, banks and other high profile institutions have state-of-the-art data protection in the form of firewalls, two-factor authentication, sophisticated encryption, and Varonis.  Hence the term “bank-level security.”  As a result, hackers have to weigh the value of a successful attack against the difficulty of breaching the target.

What if there were a way to seize a corporation’s digital secrets without having to penetrate their heavily fortified walls?  A group of Chinese hackers figured out a rather cunning way to do it – infiltrate the company’s much more vulnerable law firm instead!

According to Mandiant, a Virginia-based security firm, 80 major US law firms were hacked last year.  Clearly, law firms are becoming a primary back door that hackers are using to gain access to valuable corporate data.  But it’s not just law firms we have to worry about, unfortunately.

Any time you send an email to another party—e.g., law firms, accountants, consultants—or transfer confidential documents to Dropbox or Google Docs, you’re implicitly trusting that they take security as seriously as your own security admins do, and that they can determine, at all times, who can access your data and who is accessing your data.

The fact is that many organizations, including the growing number of cloud service vendors, haven’t even scratched the surface when it comes to serious data protection and security.  The message is clear: start now.  Your customers will demand it.